monkdiscuss
Co-Rion
<h1>What Happened</h1>
<p>Some time on May 20, 2009, an unused (but still online) perlmonks server was
[http://en.wikipedia.org/wiki/Hacker_(computer_security)#Black_hat|hacked], and its root
password was obtained by unknown individuals.
The hacker(s) dumped the contents of the perlmonks user database on that machine, data
which is estimated to be current as of approximately September 2008.
</p><p>
The exploit was published in a hacker [wp://e-zine] released on July 28,
and was brought to the attention of PerlMonks [gods|administrators] later that night.
</p><p>
The published material included the passwords, email addresses, and "real" names of all
of the members of [janitors] and [Saints in Our Book]*. However, the hackers presumably
obtained, and could distribute, the user info of <i>all</i> perlmonks users &mdash;
at least those existing as of last September.
</p><p>
As far as is known, the main perlmonks servers have not been hacked.
</p>
<p><small>* The list of Saints used appears by some indications to be a more recent one,
from perhaps mid-April.</small></p>
<h1>What Is Being Done In Response</h1>
<h2>Notifying Users</h2>
<p>Alert reader [OverlordQ] brought the leak to the attention of PerlMonks [gods|administrators]
late in the evening of July 28.
</p>
<p>
At approximately 0130 UTC on July 29, an administrator of the <tt>perlmonks</tt> group
on Facebook sent a broadcast message to all members of that group,
notifying them of the event and advising them to change their PerlMonks passwords.
</p><p>
At about 1600 UTC on July 29, a notice was posted on [the Monastery Gates].
</p><p>
At about 2100 UTC on July 29, PerlMonks [gods|administrators] sent an email to the email
addresses of record of the approximately 580 users whose user info was published,
notifying them of the event and advising them to change their PerlMonks passwords.
</p><p>
Unfortunately, not all of the ~580 users whose passwords were published had working email addresses.
In many cases, the [gods] have attempted to contact those individuals by alternate email
addresses or other means. If you think you should have received such an email but have not,
please check your spam folder for email from <tt>perlmonks<c>@</c>corion.net</tt>.
</p><p>
At some time prior to that, the [gods] changed the passwords of those users (out of the 580)
who had not already changed them. (Noted by [tye] in [id://784379])
</p><p>
Lastly, this post is an official notification and status message to the members and visitors
of the PerlMonks web site.
</p><p>
Any changes to the site as a consequence of this event will be announced in [Tidings].
</p>
<h2>Closing the Hole</h2>
<p>
PerlMonks [gods|admins] are working with the Pair.com folks (who manage our hardware and
connectivity resources) to evaluate and strengthen security on the servers.
No information is available at this time as to the status of this effort.
</p>
<h2>Strengthening Authentication</h2>
<p>
The [gods|administrators] are planning to implement hashed passwords (which will also allow passwords longer than 8 characters).
</p>
<h1>What Should You Do?</h1>
<p>
If you have already changed your password, you are set (at least until the next time
someone steals the info from our user database).
If you have not, and you are one of the ~580 users whose user info was leaked,
your password has been changed for you.
Use [id://2513] to request an e-mail containing your new, randomly generated password.
</p><p>
<i>All</i> PerlMonks registered users are <strong>strongly <!-- :-) --> encouraged</strong>
to have a current email address in their profile in case further administrative password resets are necessary.
Emails can be set/changed by going to your homenode and clicking "Edit your Profile".
</p><p>
<b>Caution:</b> If you used your PerlMonks password on any other service (other sites, email, etc.),
you should change those other passwords now &mdash; and, for [wp://Flying Spaghetti Monster|FSM]'s sake,
<b>do NOT reuse passwords!</b> Ever!
</p><p>
If you are unable to log in due to a lost/changed password and email isn't working,
you may send a message to the [gods] via the form at [id://491035].
Alternatively, you may contact the PerlMonks administrators via email, at <tt>perlmonks.org<c>@</c>gmail.com</tt>.
</p>
<p>Many thanks must go out to [jdporter] who collected all this information and wrote it up in a presentable manner.</p>
[Co-Rion] for the [gods]
<p><small><b>PS -</b> The [Cabal|perlmonks maintainers] wish to extend a hearty high-five of gratitude to
noble monk <b>[OverlordQ]</b>, who had the integrity and presence of mind to bring the security leak
to our attention. Although, we do have to wonder what he was doing reading a hacker e-zine in the first place...
;-)
</small></p>